The npm ecosystem includes many third-party tools and plugins that can extend npm's functionality. Understanding these tools can help developers manage projects more efficiently.
Package Management Tools
1. npm-check-updates
Check and update dependency versions in package.json.
# Install npm install -g npm-check-updates # Check for updates ncu # Update package.json ncu -u # Check specific dependency types ncu --dep prod ncu --dep dev ncu --dep dev,peer # Use specific registry ncu --registry https://registry.npmmirror.com
Output Example:
Checking package.json [====================] Severity: minor lodash ^4.17.20 → ^4.17.21 minor express ^4.17.1 → ^4.18.0 major react ^17.0.0 → ^18.0.0 Run ncu -u to upgrade package.json
2. npm-check
Interactive check of package status and updates.
# Install npm install -g npm-check # Check packages npm-check # Interactive update npm-check -u # Skip updates npm-check -y # Ignore specific packages npm-check --ignore-unused
3. depcheck
Check for unused dependencies and missing dependencies.
# Install npm install -g depcheck # Check for unused dependencies depcheck # Ignore specific packages depcheck --ignore-missing=package-name # Use custom configuration depcheck --config depcheck-config.json # Check specific directory depcheck ./src
Output Example:
Unused dependencies * lodash * moment Unused devDependencies * eslint Missing dependencies * axios (used in src/api.js)
Security Tools
1. Snyk
Powerful security vulnerability scanning and fixing tool.
# Install npm install -g snyk # Authenticate snyk auth # Scan for vulnerabilities snyk test # Fix vulnerabilities snyk wizard # Monitor project snyk monitor # CI/CD integration snyk test --severity-threshold=high
GitHub Actions Integration:
- name: Run Snyk to check for vulnerabilities uses: snyk/actions/node@master env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
2. npm audit fix
npm built-in security fixing tool.
# Automatic fix npm audit fix # Force fix npm audit fix --force # Fix only production dependencies npm audit fix --production # View fix details npm audit fix --dry-run
3. retire.js
Check for known vulnerabilities in JavaScript libraries.
# Install npm install -g retire # Scan project retire --path <project-path> # Output JSON format retire --outputformat json # Use custom database retire --outputpath <custom-db>
Performance Tools
1. npm-packlist
Determine which files will be included in the published package.
# Install npm install -g npm-packlist # List files npm-packlist # Output JSON format npm-packlist --json # Check specific package npm-packlist <package-path>
2. bundlephobia
Analyze package size and performance impact.
# Use online # Visit https://bundlephobia.com/ # View package size # Enter package name, e.g., "lodash"
3. cost-of-modules
Calculate maintenance cost of project dependencies.
# Install npm install -g cost-of-modules # Calculate cost cost-of-modules # Output JSON format cost-of-modules --json # Sort by cost cost-of-modules --sort
Code Quality Tools
1. npm-check-updates
In addition to checking updates, it helps maintain code quality.
# Check for updates and auto-update ncu -u # Only update patch versions ncu -u --target patch # Only update minor versions ncu -u --target minor
2. npm-run-all
Run multiple npm scripts in parallel or sequence.
# Install npm install -g npm-run-all # Run in parallel run-p lint test # Run in sequence run-s clean build test # Mixed run run-s clean run-p lint test
package.json Example:
{ "scripts": { "clean": "rimraf dist", "lint": "eslint src/", "test": "jest", "build": "webpack", "all": "run-s clean run-p lint test build" } }
3. concurrently
Run multiple commands simultaneously.
# Install npm install -g concurrently # Run multiple commands concurrently "npm run dev" "npm run test:watch" # Use prefixes concurrently --names "API,WEB" --prefix-colors "blue,green" "npm run api" "npm run web" # Kill other processes on success concurrently --kill-others "npm run dev" "npm run test"
Documentation Tools
1. jsdoc
Generate JavaScript documentation.
# Install npm install -g jsdoc # Generate documentation jsdoc src/ # Use configuration file jsdoc -c jsdoc.conf.json # Output to specific directory jsdoc src/ -d docs/
2. documentation.js
Modern JavaScript documentation generator.
# Install npm install -g documentation # Generate documentation documentation build src/ -f html -o docs/ # Generate Markdown documentation build src/ -f md > API.md # Generate JSON documentation build src/ -f json > api.json
Testing Tools
1. nyc
Command line interface for Istanbul, used for code coverage.
# Install npm install -g nyc # Run tests and generate coverage nyc npm test # Generate report nyc report --reporter=html # Coverage threshold nyc --check-coverage --lines 80 npm test
2. testdouble
Test double library for testing.
# Install npm install -g testdouble # Create test double const td = require('testdouble'); const fn = td.function(); fn('arg1', 'arg2'); td.verify(fn('arg1', 'arg2'));
Build Tools
1. webpack
Module bundler for modern JavaScript applications.
# Install npm install -g webpack webpack-cli # Build webpack # Use configuration file webpack --config webpack.config.js # Watch mode webpack --watch # Production mode webpack --mode production
2. rollup
Next-generation JavaScript module bundler.
# Install npm install -g rollup # Build rollup src/main.js -f cjs -o bundle.js # Use configuration file rollup -c rollup.config.js # Watch mode rollup -c -w
Development Tools
1. nodemon
Auto-restart Node.js applications.
# Install npm install -g nodemon # Run application nodemon app.js # Watch specific files nodemon --watch src/ app.js # Ignore specific files nodemon --ignore tests/ app.js # Delay restart nodemon --delay 2 app.js
package.json Example:
{ "scripts": { "dev": "nodemon app.js", "dev:debug": "nodemon --inspect app.js" } }
2. live-server
Simple development server with hot reload support.
# Install npm install -g live-server # Start server live-server # Specify port live-server --port=8080 # Specify root directory live-server --root=dist/ # Ignore specific files live-server --ignore=node_modules/
Publishing Tools
1. np
Better npm publishing tool.
# Install npm install -g np # Publish np # Publish specific version np 1.2.3 # Publish to specific tag np --tag beta # Skip tests np --yolo # Skip Git commit np --no-cleanup
2. semantic-release
Automated version management and publishing.
# Install npm install -g semantic-release # Configure # .releaserc.json { "branches": ["main"], "plugins": [ "@semantic-release/commit-analyzer", "@semantic-release/release-notes-generator", "@semantic-release/npm", "@semantic-release/github" ] }
CI/CD Tools
1. husky
Git hooks management tool.
# Install npm install -g husky # Initialize husky install # Add hook husky add .husky/pre-commit "npm test" # Add commit-msg hook husky add .husky/commit-msg 'commitlint -E HUSKY_GIT_PARAMS'
package.json Example:
{ "scripts": { "prepare": "husky install" } }
2. lint-staged
Run linters on staged files.
# Install npm install -g lint-staged # Configure # .lintstagedrc.json { "*.js": ["eslint --fix", "git add"], "*.css": ["stylelint --fix", "git add"] }
package.json Example:
{ "husky": { "hooks": { "pre-commit": "lint-staged" } } }
Best Practices
1. Choose the Right Tools
- Package Management: npm-check-updates, npm-check
- Security: Snyk, npm audit
- Performance: bundlephobia, cost-of-modules
- Testing: nyc, testdouble
- Building: webpack, rollup
- Development: nodemon, live-server
2. Integrate into Workflow
# Add scripts in package.json { "scripts": { "check": "npm-check", "update": "ncu -u", "audit": "snyk test", "test:coverage": "nyc npm test" } }
3. Run Regularly
# Run update check weekly ncu # Run security audit before each commit npm audit # Run code check before each build npm run lint
4. Document Tool Usage
Explain tools used in project in README:
## Development Tools This project uses the following tools: - **npm-check-updates**: Check for dependency updates - **Snyk**: Security vulnerability scanning - **nodemon**: Auto-restart development server - **webpack**: Module bundler
Mastering these npm ecosystem tools can significantly improve development efficiency and code quality.